Can a backscan be forced?
Yes, there is a way to force a backscan on a Stairwell forwarder. The usual reason to force a backscan is that the initial backscan was skipped, but these steps will work in all cases.
Windows
You can use the following script to force a backscan on all versions of the Windows forwarder.
# restart_backscan.ps1 #
# Force a backscan to restart by clearing the existing backscan values from the registry, and restarting the forwarder service.
# Handles both legacy and modern versions of the Windows Forwarder.
#
# Must be run as Admin.
#
# Copyright Stairwell, Inc, 2024

# Print every value under a registry key, skipping the PS* properties added by the registry provider.
function Write-Values {
    param (
        [string]$registryPath
    )
    $registryValues = Get-ItemProperty -Path $registryPath
    $registryValues.PSObject.Properties | ForEach-Object {
        if ($_.Name -ne "PSPath" -and $_.Name -ne "PSParentPath" -and $_.Name -ne "PSChildName" -and $_.Name -ne "PSDrive" -and $_.Name -ne "PSProvider") {
            Write-Host " $($_.Name) = $($_.Value)"
        }
    }
}

# Stop the service, clear its backscan state from the registry, and start it again.
# Returns $true only if the service exists, the registry key was reset, and the service restarted.
function Reset-Backscan {
    param
    (
        [string]$serviceName,
        [string]$registryPath
    )
    $result = $false

    # Check if the service exists
    $service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
    if ($null -eq $service) {
        Write-Host "Service $serviceName does not exist. Skipping."
        return $false
    }

    try {
        # Stop the service
        Write-Host "Stopping $serviceName..."
        Stop-Service -Name $serviceName -Force -ErrorAction Stop
    } catch {
        Write-Host "Failed to stop the $serviceName service: $_"
        Write-Host "Ensure that you are running with Admin rights."
        return $false
    }

    # Check if the registry key exists
    if (Test-Path $registryPath) {
        # Print out the current registry values
        Write-Host "Pre-modified values under $registryPath..."
        Write-Values -registryPath $registryPath

        # Delete any existing status
        Remove-ItemProperty -Path $registryPath -Name "BackscanStatus" -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $registryPath -Name "BackscanComplete" -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $registryPath -Name "BackscanStarted" -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $registryPath -Name "TotalVolumes" -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $registryPath -Name "VolumesComplete" -Force -ErrorAction SilentlyContinue
        Remove-ItemProperty -Path $registryPath -Name "FullVolumeScan" -Force -ErrorAction SilentlyContinue

        # Make sure backscan is enabled
        Set-ItemProperty -Path $registryPath -Name "FullVolumeScan" -Value 1 -Type DWord -Force

        #
        # Required due to a bug in pre 1.6.4 - remove any volume complete statuses that we find.
        #
        $registryValues = Get-ItemProperty -Path $registryPath
        # Regex pattern to match a GUID
        $guidPattern = '[A-Fa-f0-9]{8}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{4}-[A-Fa-f0-9]{12}'
        $registryValues.PSObject.Properties | ForEach-Object {
            if ($_.Name -match $guidPattern) {
                Write-Host "Found volume GUID value: $($_.Name)"
                Remove-ItemProperty -Path $registryPath -Name $_.Name -ErrorAction SilentlyContinue
            }
        }

        # Print the values again only when the key exists, so a missing key does not raise an error here
        Write-Host "Post-modified values under $registryPath..."
        Write-Values -registryPath $registryPath
        $result = $true
    } else {
        Write-Host "Registry key $registryPath does not exist. This is unexpected. Skipping registry configuration."
        $result = $false
    }

    # Start the service
    try {
        Write-Host "Starting $serviceName..."
        Start-Service -Name $serviceName -ErrorAction Stop
    } catch {
        Write-Host "Failed to start the $serviceName service: $_"
        return $false
    }
    return $result
}

Write-Host "`nWindows Forwarder Backscan Reset Script"
Write-Host "Version 1.0"
Write-Host "Copyright Stairwell, Inc., 2024`n"

# 1.4.x, 1.6.0+ - modern forwarder
$stairwellSuccess = Reset-Backscan -serviceName "StairwellForwarder" -registryPath "HKLM:\Software\Stairwell\SwellService"
# pre 1.4 or 1.5.1 - legacy forwarder
$inceptionSuccess = Reset-Backscan -serviceName "InceptionForwarder" -registryPath "HKLM:\Software\Stairwell\Inception"

# We expect to have exactly one forwarder on the machine
if ($stairwellSuccess -xor $inceptionSuccess) {
    Write-Host "`nScript ran successfully."
} else {
    Write-Host "`nScript failed. Please contact Stairwell and provide the output of this command."
}
Linux
- Stop the Stairwell service
- Remove the backscan file /var/lib/stairwell/scansession.json
- Start the Stairwell service
systemctl stop stairwell
rm /var/lib/stairwell/scansession.json
systemctl start stairwell
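A guarded version of the Linux steps above, as an added example that is not Stairwell's own script: it mirrors the checks in the Windows script (return early if the service cannot be stopped, print the previous state, always attempt the restart). The service name and file path are the ones given on this page; the `SERVICE`, `STATE_FILE` and `SYSTEMCTL` override variables and the `--run` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Stairwell's own script): Linux backscan reset with checks.
# Service name and state file are the ones on this page; the override
# variables and the --run argument are assumptions of this example.
SERVICE="${SERVICE:-stairwell}"
STATE_FILE="${STATE_FILE:-/var/lib/stairwell/scansession.json}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"

reset_backscan() {
    rc=0
    # Stop first, as in the page's steps. If the stop fails, return before
    # touching the state file so it is never removed under a running service.
    if ! "$SYSTEMCTL" stop "$SERVICE"; then
        echo "Failed to stop $SERVICE. Ensure you are running as root." >&2
        return 1
    fi
    if [ -e "$STATE_FILE" ]; then
        # Record the previous state, like the Windows script's pre-modified dump.
        echo "Previous contents of $STATE_FILE:"
        cat -- "$STATE_FILE" || true
        echo
        rm -f -- "$STATE_FILE" || rc=1
    else
        echo "$STATE_FILE not present; no backscan state to clear."
    fi
    # Always try to bring the forwarder back, even if the removal failed.
    if ! "$SYSTEMCTL" start "$SERVICE"; then
        echo "Failed to start $SERVICE." >&2
        return 2
    fi
    return "$rc"
}

# Only act when asked to, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then
    reset_backscan
    exit $?
fi
```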
Mac
- Delete Keychain entries for backscans
sudo security delete-generic-password -a FullDiskScanState
sudo security delete-generic-password -a FullScanStatus
- Reload the forwarder
sudo /Applications/Inception\ Forwarder.app/Contents/MacOS/Inception\ Forwarder uninstall-extension
sudo /Applications/Inception\ Forwarder.app/Contents/MacOS/Inception\ Forwarder install-extension